>>>>> "MC" == Maurizio Codogno <mau@beatles.cselt.it> writes:

MC> As some pointed out, often it is the client, not the server, which
MC> would like to forget the auth info (but this does not belong to HTTP);
MC> moreover the server cannot be sure that the client forgets the info.

The proposal is to provide a mechanism whereby the server can direct
the client to discard the user credentials.

Clients should also have other mechanisms for doing the same things
- for example, there should always be some way for the user to
direct a browser to delete any stored credentials (so the user can
leave a shared system without leaving credentials for the next
user).

MC> This all said, shouldn't the server send a cookie (oops, wrong term :-))
MC> which the client should send back together with the usual Authentication:
MC> data?

As I wrote the proposal, 'discard' can't be combined with other uses
of the Authentication-Info header, such as nextnonce; this may have
been a mistake.

--
Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/